MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12
SHA3-384 hash: ffd5a7808b26cacb2effbc425978f8f0378b98973b26414429c2b7fa53308c864ccc61ac2b16a04b3ca83cbbe9e31a96
SHA1 hash: 317e7e9078c16c3f201b633e7a3376c8774af836
MD5 hash: acc01db49cea4624b08ae4147c7f6ba1
humanhash: december-cold-mango-carolina
File name:MRKU8781602 DOCS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'744 bytes
First seen:2021-07-20 09:00:13 UTC
Last seen:2021-07-20 09:51:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JNmpL5s1cgwusjxW9/4Ki/gcc98fYgsVtdkJEftmwwDHIbB19Rdbz2B3ZfCb47:J0tIejsHigcc9WYhVtdQHIF19RduB3Zq
Threatray 7'058 similar samples on MalwareBazaar
TLSH T117F4BE38509459AFC632A533C668EB00FEF359937232CD0A528BE6871F0B543599EF6D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MRKU8781602 DOCS.exe
Verdict:
Malicious activity
Analysis date:
2021-07-20 09:13:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3b60e1a6-1761-4770-906a-f132cc3c3582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172733/
Detection(s):
SecuriteInfo.com.ArtemisACC01DB49CEA.22548.2572.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1eb95a57-b393-444d-b6e4-57db1d842ba1
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818761
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 04:55:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxorajedrk5rnrlsksgwslccibqimkxbj32gu72q45yl4ggmtyja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
431bfd160719c61566690f962efbbd9614d0083c258afab14184b185805373a9
AgentTesla
5caec2d3d8e27a3360ccfc76d30f99fd6c461b8d2fbf0989d62893fca758ab09
AgentTesla
637c08924afdfb02e35a02c81b72ccde2f0e3436f1f7e1747eb86b6b6ee5bd68
AgentTesla
b091935387e34aeb39e80d1172bd83417a3e11bb78a3d1ff2fed2151386b1cdd
AgentTesla
d20aff03dd6394b498b2c2cbb6696120e93595b8c8141e077566348faf251d71
AgentTesla
ea08fc031bc184b29f528ea6f2d34a8e8537356cb2b36826c653d769674601b3
AgentTesla
ea940d87cf18d1ce5483116eb72977b4982f7df252fb6a096d3a8cdcb732315b
AgentTesla
+ 7'048 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210720-nrz6d9dyln/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument
Unpacked files
SH256 hash:
6fc77eef943a5bec9cf7aafa2df8c35947c44c950a5749d9f621e3eb979ad409
MD5 hash:
40ba2e70645d704012ad8ef7e4a910c3
SHA1 hash:
fad88203ee77a1728147eed1bddcbbaf91427247
Link:
https://www.unpac.me/results/6386c9f0-920b-47b9-9cc1-dd36f8bdb0c9/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/6386c9f0-920b-47b9-9cc1-dd36f8bdb0c9/
SH256 hash:
b91307eeae6495cc3202fb1ec39e3f58534be4b1a60795d0b31fd52c76f040d4
MD5 hash:
19f1df1e9b8f809b61dab4490cdc6e9c
SHA1 hash:
9e2e47b1ae0d94e894a88ce28a7c8a7c1a00e8ef
Link:
https://www.unpac.me/results/6386c9f0-920b-47b9-9cc1-dd36f8bdb0c9/
Parent samples :
827774cd3d42753b5a959a706a3ae0d989cd6b1cdb9eb54590acdc37f086d4b4
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
57191284c75940f3a637266acc38d3a503ab97a52c9d99a0a85ff61d27420b6f
44adde49a051c923e1ed89d0adfa105fb66f85bebe630f625c29e25f93da3043
604c52301a76a47042112a3a7fca37f1c6c205a0888a6e28c5555406c55b2279
SH256 hash:
7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12
MD5 hash:
acc01db49cea4624b08ae4147c7f6ba1
SHA1 hash:
317e7e9078c16c3f201b633e7a3376c8774af836
Link:
https://www.unpac.me/results/6386c9f0-920b-47b9-9cc1-dd36f8bdb0c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3b37d2e23d1dc6f89751cac3a8b4a624926ed0621f572737dbcd983bc8f689ef

AgentTesla

Executable exe 7ddd1024838abb16c572548d692c424060862ae14ef46a7f50e770be18cc9e12

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3b37d2e23d1dc6f89751cac3a8b4a624926ed0621f572737dbcd983bc8f689ef
Cape
Cape
https://www.capesandbox.com/analysis/172733/

Comments